npm - @zereight/mcp-gitlab - Versions diffs - 2.0.6 → 2.0.8 - Mend

@zereight/mcp-gitlab 2.0.6 → 2.0.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/README.md +119 -1
package/build/index.js +721 -68
package/build/schemas.js +165 -2
package/build/test/clients/custom-header-client.js +122 -0
package/build/test/remote-auth-simple-test.js +215 -0
package/build/test/remote-auth-tests.js +315 -0
package/build/test/utils/mock-gitlab-server.js +275 -0
package/build/test/utils/server-launcher.js +10 -4
package/package.json +3 -2
package/build/test/comprehensive-mcp-tests.js +0 -378
package/build/test/simple-mcp-tests.js +0 -190

package/build/index.js CHANGED Viewed

@@ -4,6 +4,7 @@ import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js";
+import { AsyncLocalStorage } from "async_hooks";
 import express from "express";
 import fetchCookie from "fetch-cookie";
 import fs from "fs";
@@ -29,7 +30,7 @@ GitLabDiscussionNoteSchema, // Added
 GitLabDiscussionSchema,
 // Draft Notes Schemas
 GitLabDraftNoteSchema, GitLabForkSchema, GitLabIssueLinkSchema, GitLabIssueSchema, GitLabIssueWithLinkDetailsSchema, GitLabMarkdownUploadSchema, GitLabMergeRequestSchema, GitLabMilestonesSchema, GitLabNamespaceExistsResponseSchema, GitLabNamespaceSchema, GitLabPipelineJobSchema, GitLabPipelineSchema, GitLabPipelineTriggerJobSchema, GitLabProjectMemberSchema, GitLabProjectSchema, GitLabReferenceSchema, GitLabRepositorySchema, GitLabSearchResponseSchema, GitLabTreeItemSchema, GitLabTreeSchema, GitLabUserSchema, GitLabUsersResponseSchema, GitLabWikiPageSchema, GroupIteration, ListCommitsSchema, ListDraftNotesSchema, ListGroupIterationsSchema, ListGroupProjectsSchema, ListIssueDiscussionsSchema, ListIssueLinksSchema, ListIssuesSchema, ListLabelsSchema, ListMergeRequestDiffsSchema, // Added
-ListMergeRequestDiscussionsSchema, ListMergeRequestsSchema, ListNamespacesSchema, ListPipelineJobsSchema, ListPipelinesSchema, ListPipelineTriggerJobsSchema, ListProjectMembersSchema, ListProjectMilestonesSchema, ListProjectsSchema, ListWikiPagesSchema, MarkdownUploadSchema, DownloadAttachmentSchema, MergeMergeRequestSchema, MyIssuesSchema, PaginatedDiscussionsResponseSchema, PromoteProjectMilestoneSchema, PublishDraftNoteSchema, PlayPipelineJobSchema, PushFilesSchema, RetryPipelineJobSchema, RetryPipelineSchema, SearchRepositoriesSchema, UpdateDraftNoteSchema, UpdateIssueNoteSchema, UpdateIssueSchema, UpdateLabelSchema, UpdateMergeRequestNoteSchema, UpdateMergeRequestSchema, UpdateWikiPageSchema, VerifyNamespaceSchema, GitLabEventSchema, ListEventsSchema, GetProjectEventsSchema } from "./schemas.js";
+ListMergeRequestDiscussionsSchema, ListMergeRequestsSchema, ListNamespacesSchema, ListPipelineJobsSchema, ListPipelinesSchema, ListPipelineTriggerJobsSchema, ListProjectMembersSchema, ListProjectMilestonesSchema, ListProjectsSchema, ListWikiPagesSchema, MarkdownUploadSchema, DownloadAttachmentSchema, MergeMergeRequestSchema, MyIssuesSchema, PaginatedDiscussionsResponseSchema, PromoteProjectMilestoneSchema, PublishDraftNoteSchema, PlayPipelineJobSchema, PushFilesSchema, RetryPipelineJobSchema, RetryPipelineSchema, SearchRepositoriesSchema, UpdateDraftNoteSchema, UpdateIssueNoteSchema, UpdateIssueSchema, UpdateLabelSchema, UpdateMergeRequestNoteSchema, UpdateMergeRequestSchema, UpdateWikiPageSchema, VerifyNamespaceSchema, GitLabEventSchema, ListEventsSchema, GetProjectEventsSchema, ExecuteGraphQLSchema, GitLabReleaseSchema, ListReleasesSchema, GetReleaseSchema, CreateReleaseSchema, UpdateReleaseSchema, DeleteReleaseSchema, CreateReleaseEvidenceSchema, DownloadReleaseAssetSchema, } from "./schemas.js";
 import { randomUUID } from "crypto";
 import { pino } from "pino";
 const logger = pino({
@@ -76,6 +77,71 @@ const server = new Server({
         tools: {},
     },
 });
+/**
+ * Validate configuration at startup
+ */
+function validateConfiguration() {
+    const errors = [];
+    // Validate SESSION_TIMEOUT_SECONDS
+    const timeoutStr = process.env.SESSION_TIMEOUT_SECONDS;
+    if (timeoutStr) {
+        const timeout = parseInt(timeoutStr);
+        // Allow values >=1 for testing purposes, but recommend 60-86400 for production
+        if (isNaN(timeout) || timeout < 1 || timeout > 86400) {
+            errors.push(`SESSION_TIMEOUT_SECONDS must be between 1 and 86400 seconds, got: ${timeoutStr}`);
+        }
+        if (timeout < 60) {
+            logger.warn(`SESSION_TIMEOUT_SECONDS=${timeout} is below recommended minimum of 60 seconds. Only use low values for testing.`);
+        }
+    }
+    // Validate MAX_SESSIONS
+    const maxSessionsStr = process.env.MAX_SESSIONS;
+    if (maxSessionsStr) {
+        const maxSessions = parseInt(maxSessionsStr);
+        if (isNaN(maxSessions) || maxSessions < 1 || maxSessions > 10000) {
+            errors.push(`MAX_SESSIONS must be between 1 and 10000, got: ${maxSessionsStr}`);
+        }
+    }
+    // Validate MAX_REQUESTS_PER_MINUTE
+    const maxReqStr = process.env.MAX_REQUESTS_PER_MINUTE;
+    if (maxReqStr) {
+        const maxReq = parseInt(maxReqStr);
+        if (isNaN(maxReq) || maxReq < 1 || maxReq > 1000) {
+            errors.push(`MAX_REQUESTS_PER_MINUTE must be between 1 and 1000, got: ${maxReqStr}`);
+        }
+    }
+    // Validate PORT
+    const portStr = process.env.PORT;
+    if (portStr) {
+        const port = parseInt(portStr);
+        if (isNaN(port) || port < 1 || port > 65535) {
+            errors.push(`PORT must be between 1 and 65535, got: ${portStr}`);
+        }
+    }
+    // Validate GITLAB_API_URL format
+    const apiUrl = process.env.GITLAB_API_URL;
+    if (apiUrl) {
+        try {
+            new URL(apiUrl);
+        }
+        catch (error) {
+            errors.push(`GITLAB_API_URL must be a valid URL, got: ${apiUrl}`);
+        }
+    }
+    // Validate auth configuration
+    const remoteAuth = process.env.REMOTE_AUTHORIZATION === "true";
+    const hasToken = !!process.env.GITLAB_PERSONAL_ACCESS_TOKEN;
+    const hasCookie = !!process.env.GITLAB_AUTH_COOKIE_PATH;
+    if (!remoteAuth && !hasToken && !hasCookie) {
+        errors.push('Either GITLAB_PERSONAL_ACCESS_TOKEN, GITLAB_AUTH_COOKIE_PATH, or REMOTE_AUTHORIZATION=true must be set');
+    }
+    if (errors.length > 0) {
+        logger.error('Configuration validation failed:');
+        errors.forEach(err => logger.error(`  - ${err}`));
+        process.exit(1);
+    }
+    logger.info('Configuration validation passed');
+}
 const GITLAB_PERSONAL_ACCESS_TOKEN = process.env.GITLAB_PERSONAL_ACCESS_TOKEN;
 const GITLAB_AUTH_COOKIE_PATH = process.env.GITLAB_AUTH_COOKIE_PATH;
 const IS_OLD = process.env.GITLAB_IS_OLD === "true";
@@ -86,6 +152,8 @@ const USE_MILESTONE = process.env.USE_MILESTONE === "true";
 const USE_PIPELINE = process.env.USE_PIPELINE === "true";
 const SSE = process.env.SSE === "true";
 const STREAMABLE_HTTP = process.env.STREAMABLE_HTTP === "true";
+const REMOTE_AUTHORIZATION = process.env.REMOTE_AUTHORIZATION === "true";
+const SESSION_TIMEOUT_SECONDS = process.env.SESSION_TIMEOUT_SECONDS ? parseInt(process.env.SESSION_TIMEOUT_SECONDS) : 3600;
 const HOST = process.env.HOST || "0.0.0.0";
 const PORT = process.env.PORT || 3002;
 // Add proxy configuration
@@ -192,20 +260,41 @@ async function ensureSessionForRequest() {
         }
     }
 }
-// Modify DEFAULT_HEADERS to include agent configuration
-const DEFAULT_HEADERS = {
+const sessionAuthStore = new AsyncLocalStorage();
+// Base headers without authentication
+const BASE_HEADERS = {
     Accept: "application/json",
     "Content-Type": "application/json",
 };
-if (IS_OLD) {
-    DEFAULT_HEADERS["Private-Token"] = `${GITLAB_PERSONAL_ACCESS_TOKEN}`;
-}
-else {
-    DEFAULT_HEADERS["Authorization"] = `Bearer ${GITLAB_PERSONAL_ACCESS_TOKEN}`;
+/**
+ * Build authentication headers dynamically based on context
+ * In REMOTE_AUTHORIZATION mode, reads from AsyncLocalStorage session context
+ * Otherwise, uses environment token
+ */
+function buildAuthHeaders() {
+    if (REMOTE_AUTHORIZATION) {
+        const ctx = sessionAuthStore.getStore();
+        if (ctx && ctx.token) {
+            return {
+                [ctx.header]: ctx.header === 'Authorization' ? `Bearer ${ctx.token}` : ctx.token
+            };
+        }
+        return {}; // No auth headers if no session context
+    }
+    // Standard mode: use environment token
+    if (IS_OLD && GITLAB_PERSONAL_ACCESS_TOKEN) {
+        return { 'Private-Token': String(GITLAB_PERSONAL_ACCESS_TOKEN) };
+    }
+    if (GITLAB_PERSONAL_ACCESS_TOKEN) {
+        return { Authorization: `Bearer ${GITLAB_PERSONAL_ACCESS_TOKEN}` };
+    }
+    return {};
 }
 // Create a default fetch configuration object that includes proxy agents if set
 const DEFAULT_FETCH_CONFIG = {
-    headers: DEFAULT_HEADERS,
+    get headers() {
+        return { ...BASE_HEADERS, ...buildAuthHeaders() };
+    },
     agent: (parsedUrl) => {
         if (parsedUrl.protocol === "https:") {
             return httpsAgent;
@@ -221,6 +310,11 @@ const allTools = [
         description: "Merge a merge request in a GitLab project",
         inputSchema: toJSONSchema(MergeMergeRequestSchema),
     },
+    {
+        name: "execute_graphql",
+        description: "Execute a GitLab GraphQL query",
+        inputSchema: zodToJsonSchema(ExecuteGraphQLSchema),
+    },
     {
         name: "create_or_update_file",
         description: "Create or update a single file in a GitLab project",
@@ -656,10 +750,46 @@ const allTools = [
         description: "List all visible events for a specified project. Note: before/after parameters accept date format YYYY-MM-DD only",
         inputSchema: toJSONSchema(GetProjectEventsSchema),
     },
+    {
+        name: "list_releases",
+        description: "List all releases for a project",
+        inputSchema: toJSONSchema(ListReleasesSchema),
+    },
+    {
+        name: "get_release",
+        description: "Get a release by tag name",
+        inputSchema: toJSONSchema(GetReleaseSchema),
+    },
+    {
+        name: "create_release",
+        description: "Create a new release in a GitLab project",
+        inputSchema: toJSONSchema(CreateReleaseSchema),
+    },
+    {
+        name: "update_release",
+        description: "Update an existing release in a GitLab project",
+        inputSchema: toJSONSchema(UpdateReleaseSchema),
+    },
+    {
+        name: "delete_release",
+        description: "Delete a release from a GitLab project (does not delete the associated tag)",
+        inputSchema: toJSONSchema(DeleteReleaseSchema),
+    },
+    {
+        name: "create_release_evidence",
+        description: "Create release evidence for an existing release (GitLab Premium/Ultimate only)",
+        inputSchema: toJSONSchema(CreateReleaseEvidenceSchema),
+    },
+    {
+        name: "download_release_asset",
+        description: "Download a release asset file by direct asset path",
+        inputSchema: toJSONSchema(DownloadReleaseAssetSchema),
+    },
 ];
 // Define which tools are read-only
 const readOnlyTools = [
     "search_repositories",
+    "execute_graphql",
     "get_file_contents",
     "get_merge_request",
     "get_merge_request_diffs",
@@ -704,6 +834,9 @@ const readOnlyTools = [
     "download_attachment",
     "list_events",
     "get_project_events",
+    "list_releases",
+    "get_release",
+    "download_release_asset",
 ];
 // Define which tools are related to wiki and can be toggled by USE_GITLAB_WIKI
 const wikiToolNames = [
@@ -765,9 +898,27 @@ const GITLAB_API_URL = normalizeGitLabApiUrl(process.env.GITLAB_API_URL || "");
 const GITLAB_PROJECT_ID = process.env.GITLAB_PROJECT_ID;
 const GITLAB_ALLOWED_PROJECT_IDS = process.env.GITLAB_ALLOWED_PROJECT_IDS?.split(',').map(id => id.trim()).filter(Boolean) || [];
 const GITLAB_COMMIT_FILES_PER_PAGE = process.env.GITLAB_COMMIT_FILES_PER_PAGE ? parseInt(process.env.GITLAB_COMMIT_FILES_PER_PAGE) : 20;
-if (!GITLAB_PERSONAL_ACCESS_TOKEN) {
-    logger.error("GITLAB_PERSONAL_ACCESS_TOKEN environment variable is not set");
-    process.exit(1);
+// Validate authentication configuration
+if (REMOTE_AUTHORIZATION) {
+    // Remote authorization mode: token comes from HTTP headers
+    if (SSE) {
+        logger.error("REMOTE_AUTHORIZATION=true is not compatible with SSE transport mode");
+        logger.error("Please use STREAMABLE_HTTP=true instead");
+        process.exit(1);
+    }
+    if (!STREAMABLE_HTTP) {
+        logger.error("REMOTE_AUTHORIZATION=true requires STREAMABLE_HTTP=true");
+        logger.error("Set STREAMABLE_HTTP=true to enable remote authorization");
+        process.exit(1);
+    }
+    logger.info("Remote authorization enabled: tokens will be read from HTTP headers");
+}
+else {
+    // Standard mode: token must be in environment
+    if (!GITLAB_PERSONAL_ACCESS_TOKEN) {
+        logger.error("GITLAB_PERSONAL_ACCESS_TOKEN environment variable is not set");
+        process.exit(1);
+    }
 }
 /**
  * Utility function for handling GitLab API errors
@@ -2533,7 +2684,8 @@ async function getPipelineJobOutput(projectId, jobId, limit, offset) {
     const response = await fetch(url.toString(), {
         ...DEFAULT_FETCH_CONFIG,
         headers: {
-            ...DEFAULT_HEADERS,
+            ...BASE_HEADERS,
+            ...buildAuthHeaders(),
             Accept: "text/plain", // Override Accept header to get plain text
         },
     });
@@ -2581,7 +2733,10 @@ async function createPipeline(projectId, ref, variables) {
     }
     const response = await fetch(url.toString(), {
         method: "POST",
-        headers: DEFAULT_HEADERS,
+        headers: {
+            ...BASE_HEADERS,
+            ...buildAuthHeaders(),
+        },
         body: JSON.stringify(body),
     });
     await handleGitLabError(response);
@@ -2600,7 +2755,10 @@ async function retryPipeline(projectId, pipelineId) {
     const url = new URL(`${GITLAB_API_URL}/projects/${encodeURIComponent(getEffectiveProjectId(projectId))}/pipelines/${pipelineId}/retry`);
     const response = await fetch(url.toString(), {
         method: "POST",
-        headers: DEFAULT_HEADERS,
+        headers: {
+            ...BASE_HEADERS,
+            ...buildAuthHeaders(),
+        },
     });
     await handleGitLabError(response);
     const data = await response.json();
@@ -2618,7 +2776,10 @@ async function cancelPipeline(projectId, pipelineId) {
     const url = new URL(`${GITLAB_API_URL}/projects/${encodeURIComponent(getEffectiveProjectId(projectId))}/pipelines/${pipelineId}/cancel`);
     const response = await fetch(url.toString(), {
         method: "POST",
-        headers: DEFAULT_HEADERS,
+        headers: {
+            ...BASE_HEADERS,
+            ...buildAuthHeaders(),
+        },
     });
     await handleGitLabError(response);
     const data = await response.json();
@@ -2710,14 +2871,9 @@ async function getRepositoryTree(options) {
     if (options.pagination)
         queryParams.append("pagination", options.pagination);
     const headers = {
-        "Content-Type": "application/json",
+        ...BASE_HEADERS,
+        ...buildAuthHeaders(),
     };
-    if (IS_OLD) {
-        headers["Private-Token"] = `${GITLAB_PERSONAL_ACCESS_TOKEN}`;
-    }
-    else {
-        headers["Authorization"] = `Bearer ${GITLAB_PERSONAL_ACCESS_TOKEN}`;
-    }
     const response = await fetch(`${GITLAB_API_URL}/projects/${encodeURIComponent(getEffectiveProjectId(options.project_id))}/repository/tree?${queryParams.toString()}`, {
         headers,
     });
@@ -3183,7 +3339,8 @@ async function markdownUpload(projectId, filePath) {
     const response = await fetch(url.toString(), {
         method: "POST",
         headers: {
-            ...DEFAULT_HEADERS,
+            ...BASE_HEADERS,
+            ...buildAuthHeaders(),
             // Remove Content-Type header to let form-data set it with boundary
             "Content-Type": undefined,
         },
@@ -3200,7 +3357,10 @@ async function downloadAttachment(projectId, secret, filename, localPath) {
     const url = new URL(`${GITLAB_API_URL}/projects/${encodeURIComponent(effectiveProjectId)}/uploads/${secret}/${filename}`);
     const response = await fetch(url.toString(), {
         method: "GET",
-        headers: DEFAULT_HEADERS,
+        headers: {
+            ...BASE_HEADERS,
+            ...buildAuthHeaders(),
+        },
     });
     if (!response.ok) {
         await handleGitLabError(response);
@@ -3228,7 +3388,10 @@ async function listEvents(options = {}) {
     });
     const response = await fetch(url.toString(), {
         method: "GET",
-        headers: DEFAULT_HEADERS,
+        headers: {
+            ...BASE_HEADERS,
+            ...buildAuthHeaders(),
+        },
     });
     if (!response.ok) {
         await handleGitLabError(response);
@@ -3253,7 +3416,10 @@ async function getProjectEvents(projectId, options = {}) {
     });
     const response = await fetch(url.toString(), {
         method: "GET",
-        headers: DEFAULT_HEADERS,
+        headers: {
+            ...BASE_HEADERS,
+            ...buildAuthHeaders(),
+        },
     });
     if (!response.ok) {
         await handleGitLabError(response);
@@ -3261,6 +3427,134 @@ async function getProjectEvents(projectId, options = {}) {
     const data = await response.json();
     return GitLabEventSchema.array().parse(data);
 }
+/**
+ * List all releases for a project
+ *
+ * @param projectId The ID or URL-encoded path of the project
+ * @param options Optional parameters for listing releases
+ * @returns Array of GitLab releases
+ */
+async function listReleases(projectId, options = {}) {
+    const effectiveProjectId = getEffectiveProjectId(projectId);
+    const url = new URL(`${GITLAB_API_URL}/projects/${encodeURIComponent(effectiveProjectId)}/releases`);
+    // Add query parameters
+    Object.entries(options).forEach(([key, value]) => {
+        if (value !== undefined) {
+            url.searchParams.append(key, value.toString());
+        }
+    });
+    const response = await fetch(url.toString(), {
+        ...DEFAULT_FETCH_CONFIG,
+    });
+    await handleGitLabError(response);
+    const data = await response.json();
+    return GitLabReleaseSchema.array().parse(data);
+}
+/**
+ * Get a release by tag name
+ *
+ * @param projectId The ID or URL-encoded path of the project
+ * @param tagName The Git tag the release is associated with
+ * @param includeHtmlDescription If true, includes HTML rendered Markdown
+ * @returns GitLab release
+ */
+async function getRelease(projectId, tagName, includeHtmlDescription) {
+    const effectiveProjectId = getEffectiveProjectId(projectId);
+    const url = new URL(`${GITLAB_API_URL}/projects/${encodeURIComponent(effectiveProjectId)}/releases/${encodeURIComponent(tagName)}`);
+    if (includeHtmlDescription !== undefined) {
+        url.searchParams.append("include_html_description", includeHtmlDescription.toString());
+    }
+    const response = await fetch(url.toString(), {
+        ...DEFAULT_FETCH_CONFIG,
+    });
+    await handleGitLabError(response);
+    const data = await response.json();
+    return GitLabReleaseSchema.parse(data);
+}
+/**
+ * Create a new release
+ *
+ * @param projectId The ID or URL-encoded path of the project
+ * @param options Options for creating the release
+ * @returns Created GitLab release
+ */
+async function createRelease(projectId, options) {
+    const effectiveProjectId = getEffectiveProjectId(projectId);
+    const response = await fetch(`${GITLAB_API_URL}/projects/${encodeURIComponent(effectiveProjectId)}/releases`, {
+        ...DEFAULT_FETCH_CONFIG,
+        method: "POST",
+        body: JSON.stringify(options),
+    });
+    await handleGitLabError(response);
+    const data = await response.json();
+    return GitLabReleaseSchema.parse(data);
+}
+/**
+ * Update an existing release
+ *
+ * @param projectId The ID or URL-encoded path of the project
+ * @param tagName The Git tag the release is associated with
+ * @param options Options for updating the release
+ * @returns Updated GitLab release
+ */
+async function updateRelease(projectId, tagName, options) {
+    const effectiveProjectId = getEffectiveProjectId(projectId);
+    const response = await fetch(`${GITLAB_API_URL}/projects/${encodeURIComponent(effectiveProjectId)}/releases/${encodeURIComponent(tagName)}`, {
+        ...DEFAULT_FETCH_CONFIG,
+        method: "PUT",
+        body: JSON.stringify(options),
+    });
+    await handleGitLabError(response);
+    const data = await response.json();
+    return GitLabReleaseSchema.parse(data);
+}
+/**
+ * Delete a release
+ *
+ * @param projectId The ID or URL-encoded path of the project
+ * @param tagName The Git tag the release is associated with
+ * @returns Deleted GitLab release
+ */
+async function deleteRelease(projectId, tagName) {
+    const effectiveProjectId = getEffectiveProjectId(projectId);
+    const response = await fetch(`${GITLAB_API_URL}/projects/${encodeURIComponent(effectiveProjectId)}/releases/${encodeURIComponent(tagName)}`, {
+        ...DEFAULT_FETCH_CONFIG,
+        method: "DELETE",
+    });
+    await handleGitLabError(response);
+    const data = await response.json();
+    return GitLabReleaseSchema.parse(data);
+}
+/**
+ * Create release evidence (GitLab Premium/Ultimate only)
+ *
+ * @param projectId The ID or URL-encoded path of the project
+ * @param tagName The Git tag the release is associated with
+ */
+async function createReleaseEvidence(projectId, tagName) {
+    const effectiveProjectId = getEffectiveProjectId(projectId);
+    const response = await fetch(`${GITLAB_API_URL}/projects/${encodeURIComponent(effectiveProjectId)}/releases/${encodeURIComponent(tagName)}/evidence`, {
+        ...DEFAULT_FETCH_CONFIG,
+        method: "POST",
+    });
+    await handleGitLabError(response);
+}
+/**
+ * Download a release asset
+ *
+ * @param projectId The ID or URL-encoded path of the project
+ * @param tagName The Git tag the release is associated with
+ * @param directAssetPath Path to the release asset file
+ * @returns The asset file content
+ */
+async function downloadReleaseAsset(projectId, tagName, directAssetPath) {
+    const effectiveProjectId = getEffectiveProjectId(projectId);
+    const response = await fetch(`${GITLAB_API_URL}/projects/${encodeURIComponent(effectiveProjectId)}/releases/${encodeURIComponent(tagName)}/downloads/${directAssetPath}`, {
+        ...DEFAULT_FETCH_CONFIG,
+    });
+    await handleGitLabError(response);
+    return await response.text();
+}
 server.setRequestHandler(ListToolsRequestSchema, async () => {
     // Apply read-only filter first
     const tools0 = GITLAB_READ_ONLY_MODE
@@ -3308,6 +3602,53 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
         }
         logger.info(request.params.name);
         switch (request.params.name) {
+            case "execute_graphql": {
+                const args = ExecuteGraphQLSchema.parse(request.params.arguments);
+                const apiUrl = new URL(GITLAB_API_URL);
+                // Build GraphQL endpoint preserving any instance subpath (e.g. /gitlab)
+                const restPath = apiUrl.pathname || ""; // e.g. /api/v4 or /gitlab/api/v4
+                const idx = restPath.lastIndexOf("/api/v4");
+                const prefix = idx >= 0 ? restPath.slice(0, idx) : "";
+                const graphqlUrl = process.env.GITLAB_GRAPHQL_URL || `${apiUrl.origin}${prefix}/api/graphql`;
+                // Add timeout to avoid hanging requests
+                const controller = new AbortController();
+                const timeoutMs = 45000;
+                const timeout = setTimeout(() => controller.abort(), timeoutMs);
+                logger.info({ endpoint: graphqlUrl }, "execute_graphql request");
+                try {
+                    const response = await fetch(graphqlUrl, {
+                        ...DEFAULT_FETCH_CONFIG,
+                        method: "POST",
+                        headers: {
+                            ...BASE_HEADERS,
+                            ...buildAuthHeaders(),
+                        },
+                        body: JSON.stringify({ query: args.query, variables: args.variables || {} }),
+                        signal: controller.signal,
+                    });
+                    if (!response.ok) {
+                        await handleGitLabError(response);
+                    }
+                    const json = await response.json();
+                    return {
+                        content: [{ type: "text", text: JSON.stringify(json, null, 2) }],
+                    };
+                }
+                catch (err) {
+                    const message = err instanceof Error ? err.message : String(err);
+                    return {
+                        content: [
+                            {
+                                type: "text",
+                                text: JSON.stringify({ error: `GraphQL request failed: ${message}` }, null, 2),
+                            },
+                        ],
+                    };
+                }
+                finally {
+                    clearTimeout(timeout);
+                }
+            }
             case "fork_repository": {
                 if (GITLAB_PROJECT_ID) {
                     throw new Error("Direct project ID is set. So fork_repository is not allowed");
@@ -4157,6 +4498,68 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
                     content: [{ type: "text", text: JSON.stringify(events, null, 2) }],
                 };
             }
+            case "list_releases": {
+                const args = ListReleasesSchema.parse(request.params.arguments);
+                const { project_id, ...options } = args;
+                const releases = await listReleases(project_id, options);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(releases, null, 2) }],
+                };
+            }
+            case "get_release": {
+                const args = GetReleaseSchema.parse(request.params.arguments);
+                const release = await getRelease(args.project_id, args.tag_name, args.include_html_description);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(release, null, 2) }],
+                };
+            }
+            case "create_release": {
+                const args = CreateReleaseSchema.parse(request.params.arguments);
+                const { project_id, ...options } = args;
+                const release = await createRelease(project_id, options);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(release, null, 2) }],
+                };
+            }
+            case "update_release": {
+                const args = UpdateReleaseSchema.parse(request.params.arguments);
+                const { project_id, tag_name, ...options } = args;
+                const release = await updateRelease(project_id, tag_name, options);
+                return {
+                    content: [{ type: "text", text: JSON.stringify(release, null, 2) }],
+                };
+            }
+            case "delete_release": {
+                const args = DeleteReleaseSchema.parse(request.params.arguments);
+                const release = await deleteRelease(args.project_id, args.tag_name);
+                return {
+                    content: [
+                        {
+                            type: "text",
+                            text: JSON.stringify({ status: "success", message: "Release deleted successfully", release }, null, 2),
+                        },
+                    ],
+                };
+            }
+            case "create_release_evidence": {
+                const args = CreateReleaseEvidenceSchema.parse(request.params.arguments);
+                await createReleaseEvidence(args.project_id, args.tag_name);
+                return {
+                    content: [
+                        {
+                            type: "text",
+                            text: JSON.stringify({ status: "success", message: "Release evidence created successfully" }, null, 2),
+                        },
+                    ],
+                };
+            }
+            case "download_release_asset": {
+                const args = DownloadReleaseAssetSchema.parse(request.params.arguments);
+                const assetContent = await downloadReleaseAsset(args.project_id, args.tag_name, args.direct_asset_path);
+                return {
+                    content: [{ type: "text", text: assetContent }],
+                };
+            }
             default:
                 throw new Error(`Unknown tool: ${request.params.name}`);
         }
@@ -4247,48 +4650,264 @@ async function startSSEServer() {
 async function startStreamableHTTPServer() {
     const app = express();
     const streamableTransports = {};
+    // Session-based auth mapping for remote authorization
+    const authBySession = {};
+    const authTimeouts = {};
+    // Configuration and limits
+    const MAX_SESSIONS = parseInt(process.env.MAX_SESSIONS || '1000');
+    const MAX_REQUESTS_PER_MINUTE = parseInt(process.env.MAX_REQUESTS_PER_MINUTE || '60');
+    // Metrics tracking
+    const metrics = {
+        activeSessions: 0,
+        totalSessions: 0,
+        expiredSessions: 0,
+        authFailures: 0,
+        requestsProcessed: 0,
+        rejectedByRateLimit: 0,
+        rejectedByCapacity: 0,
+    };
+    // Rate limiting per session
+    const sessionRequestCounts = {};
+    /**
+     * Validate token format and length
+     */
+    const validateToken = (token) => {
+        // GitLab PAT format: glpat-xxxxx (min 20 chars)
+        if (token.length < 20)
+            return false;
+        if (!/^[a-zA-Z0-9_-]+$/.test(token))
+            return false;
+        return true;
+    };
+    /**
+     * Check rate limit for session
+     */
+    const checkRateLimit = (sessionId) => {
+        const now = Date.now();
+        const session = sessionRequestCounts[sessionId];
+        if (!session || now > session.resetAt) {
+            sessionRequestCounts[sessionId] = { count: 1, resetAt: now + 60000 };
+            return true;
+        }
+        if (session.count >= MAX_REQUESTS_PER_MINUTE) {
+            return false;
+        }
+        session.count++;
+        return true;
+    };
+    /**
+     * Parse authentication from request headers
+     * Returns null if no auth found or invalid format
+     */
+    const parseAuthHeaders = (req) => {
+        const authHeader = req.headers['authorization'] || '';
+        const privateToken = req.headers['private-token'] || '';
+        if (privateToken) {
+            const token = privateToken.trim();
+            if (!token || !validateToken(token))
+                return null;
+            return { header: 'Private-Token', token, lastUsed: Date.now() };
+        }
+        if (authHeader) {
+            const match = authHeader.match(/^Bearer\s+(.+)$/i);
+            const token = match ? match[1].trim() : '';
+            if (!token || !validateToken(token))
+                return null;
+            return { header: 'Authorization', token, lastUsed: Date.now() };
+        }
+        return null;
+    };
+    /**
+     * Set or reset timeout for session auth
+     * After SESSION_TIMEOUT_SECONDS of inactivity, the auth token is removed
+     * but the transport session remains active
+     */
+    const setAuthTimeout = (sessionId) => {
+        // Clear existing timeout if any
+        clearAuthTimeout(sessionId);
+        // Set new timeout
+        authTimeouts[sessionId] = setTimeout(() => {
+            if (authBySession[sessionId]) {
+                logger.info(`Session ${sessionId}: auth token expired after ${SESSION_TIMEOUT_SECONDS}s of inactivity`);
+                delete authBySession[sessionId];
+                delete authTimeouts[sessionId];
+                metrics.expiredSessions++;
+            }
+        }, SESSION_TIMEOUT_SECONDS * 1000);
+    };
+    /**
+     * Clear timeout for session auth
+     */
+    const clearAuthTimeout = (sessionId) => {
+        const timeout = authTimeouts[sessionId];
+        if (timeout) {
+            clearTimeout(timeout);
+            delete authTimeouts[sessionId];
+        }
+    };
+    /**
+     * Clean up session auth data
+     */
+    const cleanupSessionAuth = (sessionId) => {
+        delete authBySession[sessionId];
+        clearAuthTimeout(sessionId);
+    };
     // Configure Express middleware
     app.use(express.json());
     // Streamable HTTP endpoint - handles both session creation and message handling
     app.post("/mcp", async (req, res) => {
         const sessionId = req.headers["mcp-session-id"];
-        try {
-            let transport;
-            if (sessionId && streamableTransports[sessionId]) {
-                // Reuse existing transport for ongoing session
-                transport = streamableTransports[sessionId];
-                await transport.handleRequest(req, res, req.body);
+        // Track request
+        metrics.requestsProcessed++;
+        // Rate limiting check for existing sessions
+        if (REMOTE_AUTHORIZATION && sessionId && !checkRateLimit(sessionId)) {
+            metrics.rejectedByRateLimit++;
+            res.status(429).json({
+                error: 'Rate limit exceeded',
+                message: `Maximum ${MAX_REQUESTS_PER_MINUTE} requests per minute allowed`
+            });
+            return;
+        }
+        // Capacity check for new sessions
+        if (!sessionId && Object.keys(streamableTransports).length >= MAX_SESSIONS) {
+            metrics.rejectedByCapacity++;
+            res.status(503).json({
+                error: 'Server capacity reached',
+                message: `Maximum ${MAX_SESSIONS} concurrent sessions allowed. Please try again later.`
+            });
+            return;
+        }
+        // Handle remote authorization: extract and store auth headers per session
+        if (REMOTE_AUTHORIZATION) {
+            const authData = parseAuthHeaders(req);
+            if (sessionId && !authBySession[sessionId]) {
+                // New session: require auth headers
+                if (!authData) {
+                    metrics.authFailures++;
+                    res.status(401).json({
+                        error: 'Missing Authorization or Private-Token header',
+                        message: 'Remote authorization is enabled. Please provide Authorization or Private-Token header.'
+                    });
+                    return;
+                }
+                // Store auth for this session
+                authBySession[sessionId] = authData;
+                logger.info(`Session ${sessionId}: stored ${authData.header} header`);
+                setAuthTimeout(sessionId);
             }
-            else {
-                // Create new transport for new session
-                transport = new StreamableHTTPServerTransport({
-                    sessionIdGenerator: () => randomUUID(),
-                    onsessioninitialized: (newSessionId) => {
-                        streamableTransports[newSessionId] = transport;
-                        logger.warn(`Streamable HTTP session initialized: ${newSessionId}`);
-                    },
+            else if (sessionId && authData) {
+                // Existing session: allow auth rotation/update
+                authBySession[sessionId] = authData;
+                logger.debug(`Session ${sessionId}: updated ${authData.header} header`);
+                setAuthTimeout(sessionId);
+            }
+            else if (sessionId && authBySession[sessionId]) {
+                // Existing session with stored auth: update last used time and reset timeout
+                authBySession[sessionId].lastUsed = Date.now();
+                setAuthTimeout(sessionId);
+            }
+            else if (!sessionId && !authData) {
+                // First request without session - will fail in initialization
+            }
+        }
+        // Wrap request handling in AsyncLocalStorage context
+        const handleRequestWithAuth = async () => {
+            try {
+                let transport;
+                if (sessionId && streamableTransports[sessionId]) {
+                    // Reuse existing transport for ongoing session
+                    transport = streamableTransports[sessionId];
+                    await transport.handleRequest(req, res, req.body);
+                }
+                else {
+                    // Create new transport for new session
+                    transport = new StreamableHTTPServerTransport({
+                        sessionIdGenerator: () => randomUUID(),
+                        onsessioninitialized: (newSessionId) => {
+                            streamableTransports[newSessionId] = transport;
+                            metrics.totalSessions++;
+                            metrics.activeSessions++;
+                            logger.warn(`Streamable HTTP session initialized: ${newSessionId}`);
+                            // Store auth for newly created session in remote mode
+                            if (REMOTE_AUTHORIZATION && !authBySession[newSessionId]) {
+                                const authData = parseAuthHeaders(req);
+                                if (authData) {
+                                    authBySession[newSessionId] = authData;
+                                    logger.info(`Session ${newSessionId}: stored ${authData.header} header`);
+                                    setAuthTimeout(newSessionId);
+                                }
+                            }
+                        },
+                    });
+                    // Set up cleanup handler when transport closes
+                    transport.onclose = () => {
+                        const sid = transport.sessionId;
+                        if (sid && streamableTransports[sid]) {
+                            logger.warn(`Streamable HTTP transport closed for session ${sid}, cleaning up`);
+                            delete streamableTransports[sid];
+                            metrics.activeSessions--;
+                            if (REMOTE_AUTHORIZATION) {
+                                cleanupSessionAuth(sid);
+                                delete sessionRequestCounts[sid];
+                                logger.info(`Session ${sid}: cleaned up auth mapping`);
+                            }
+                        }
+                    };
+                    // Connect transport to MCP server before handling the request
+                    await server.connect(transport);
+                    await transport.handleRequest(req, res, req.body);
+                }
+            }
+            catch (error) {
+                logger.error("Streamable HTTP error:", error);
+                res.status(500).json({
+                    error: "Internal server error",
+                    message: error instanceof Error ? error.message : "Unknown error",
                 });
-                // Set up cleanup handler when transport closes
-                transport.onclose = () => {
-                    const sid = transport.sessionId;
-                    if (sid && streamableTransports[sid]) {
-                        logger.warn(`Streamable HTTP transport closed for session ${sid}, cleaning up`);
-                        delete streamableTransports[sid];
-                    }
-                };
-                // Connect transport to MCP server before handling the request
-                await server.connect(transport);
-                await transport.handleRequest(req, res, req.body);
             }
+        };
+        // Execute with auth context in remote mode
+        if (REMOTE_AUTHORIZATION && sessionId && authBySession[sessionId]) {
+            const authData = authBySession[sessionId];
+            const ctx = {
+                sessionId,
+                header: authData.header,
+                token: authData.token,
+                lastUsed: authData.lastUsed
+            };
+            await sessionAuthStore.run(ctx, handleRequestWithAuth);
         }
-        catch (error) {
-            logger.error("Streamable HTTP error:", error);
-            res.status(500).json({
-                error: "Internal server error",
-                message: error instanceof Error ? error.message : "Unknown error",
-            });
+        else {
+            // Standard execution (no remote auth or no session yet)
+            await handleRequestWithAuth();
         }
     });
+    // Metrics endpoint
+    app.get("/metrics", (_req, res) => {
+        res.json({
+            ...metrics,
+            activeSessions: Object.keys(streamableTransports).length,
+            authenticatedSessions: Object.keys(authBySession).length,
+            uptime: process.uptime(),
+            memoryUsage: process.memoryUsage(),
+            config: {
+                maxSessions: MAX_SESSIONS,
+                maxRequestsPerMinute: MAX_REQUESTS_PER_MINUTE,
+                sessionTimeoutSeconds: SESSION_TIMEOUT_SECONDS,
+                remoteAuthEnabled: REMOTE_AUTHORIZATION,
+            }
+        });
+    });
+    // Health check endpoint
+    app.get("/health", (_req, res) => {
+        const isHealthy = Object.keys(streamableTransports).length < MAX_SESSIONS;
+        res.status(isHealthy ? 200 : 503).json({
+            status: isHealthy ? 'healthy' : 'degraded',
+            activeSessions: Object.keys(streamableTransports).length,
+            maxSessions: MAX_SESSIONS,
+            uptime: process.uptime(),
+        });
+    });
     // to delete a mcp server session explicitly
     app.delete("/mcp", async (req, res) => {
         const sessionId = req.headers["mcp-session-id"];
@@ -4301,6 +4920,11 @@ async function startStreamableHTTPServer() {
             try {
                 await transport.close();
                 logger.info(`Explicitly closed session via DELETE request: ${sessionId}`);
+                if (REMOTE_AUTHORIZATION) {
+                    cleanupSessionAuth(sessionId);
+                    delete sessionRequestCounts[sessionId];
+                    logger.info(`Session ${sessionId}: cleaned up auth mapping on DELETE`);
+                }
                 res.status(204).send();
             }
             catch (error) {
@@ -4312,20 +4936,47 @@ async function startStreamableHTTPServer() {
             res.status(404).json({ error: "Session not found" });
         }
     });
-    // Health check endpoint
-    app.get("/health", (_, res) => {
-        res.status(200).json({
-            status: "healthy",
-            version: SERVER_VERSION,
-            transport: TransportMode.STREAMABLE_HTTP,
-            activeSessions: Object.keys(streamableTransports).length,
-        });
-    });
     // Start server
-    app.listen(Number(PORT), HOST, () => {
+    const httpServer = app.listen(Number(PORT), HOST, () => {
         logger.info(`GitLab MCP Server running with Streamable HTTP transport`);
         logger.info(`${colorGreen}Endpoint: http://${HOST}:${PORT}/mcp${colorReset}`);
     });
+    // Graceful shutdown handler
+    const gracefulShutdown = async (signal) => {
+        logger.info(`${signal} received, starting graceful shutdown...`);
+        // Stop accepting new connections
+        httpServer.close(() => {
+            logger.info('HTTP server closed');
+        });
+        // Close all active sessions
+        const sessionIds = Object.keys(streamableTransports);
+        logger.info(`Closing ${sessionIds.length} active sessions...`);
+        const closePromises = sessionIds.map(async (sessionId) => {
+            try {
+                const transport = streamableTransports[sessionId];
+                if (transport) {
+                    await transport.close();
+                    if (REMOTE_AUTHORIZATION) {
+                        cleanupSessionAuth(sessionId);
+                        delete sessionRequestCounts[sessionId];
+                    }
+                }
+            }
+            catch (error) {
+                logger.error(`Error closing session ${sessionId}:`, error);
+            }
+        });
+        await Promise.allSettled(closePromises);
+        // Clear all timeouts
+        Object.keys(authTimeouts).forEach(sessionId => {
+            clearAuthTimeout(sessionId);
+        });
+        logger.info('Graceful shutdown complete');
+        process.exit(0);
+    };
+    // Register signal handlers
+    process.on('SIGTERM', () => gracefulShutdown('SIGTERM'));
+    process.on('SIGINT', () => gracefulShutdown('SIGINT'));
 }
 /**
  * Initialize server with specific transport mode
@@ -4358,6 +5009,8 @@ async function initializeServerByTransportMode(mode) {
  */
 async function runServer() {
     try {
+        // Validate configuration before starting server
+        validateConfiguration();
         const transportMode = determineTransportMode();
         await initializeServerByTransportMode(transportMode);
     }